Microsoft sued Fancy Bear to gain control of the domains used in the cyber espionage campaigns

Microsoft used the lawsuit to disrupt a large number of cyber espionage campaigns conducted by infamous Fancy Bear APT hacking group

We have discussed several times about hacking back and the case we are going to analyze is a good example of an alternative approach to hit back an APT group.

Microsoft used the lawsuit to disrupt a large number of cyber espionage campaigns conducted by infamous Fancy Bear APT hacking group (APT28, Sofacy, Sednit, and Pawn Storm). The experts with the help of the authorities took over the command and control infrastructure of the group in order to analyze the traffic and the targets of the malware by using the lawsuit as a tool.

“A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus.” reported the daily beast.

“How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: Lawyers.”

Microsoft sued Fancy Bear in a US federal court, accusing the APT group of computer intrusion, cybersquatting, and reserving several domain names that violate Microsoft’s trademarks.
Fancy Bear is active since at least 2007 and was one of the APT groups involved in the numerous cyber attacks against the US DNC and 2016 Presidential Election.

Numerous reports published by security firms linked the APT group to the GRU (General Staff Main Intelligence Directorate), the Russian secret military intelligence agency.
The experts at Microsoft observed Fancy Bear hackers often using domain names that look-alike Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, for its cyber espionage campaigns.

The abuse was exploited by Microsoft to sue the hacking group with “unknown members” into the court of justice and gain the ownership of domains used by Fancy Bear to deliver malware.

“These servers can be thought of as the spymasters in Russia’s cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents,” the report reads.

Last year, the U.S. District Judge Gerald Bruce Lee granted Microsoft’s request and issued a then-sealed order to domain name registrars “compelling them to alter”the DNS of at least 70 Fancy Bear domains. The traffic was redirected to servers controlled by Microsoft.

Technically the procedure is called ‘sinkholing‘ and allows investigators to monitor the traffic from the infected systems to track the botnet infrastructure.

This is the precious work done by the Digital Crimes Unit that has identified the potential victims of the Russian APT.“By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers,” the report reads.

Microsoft is still waiting for a final judgment on the Fancy Bear case. The hearing has been scheduled on Friday in Virginia court.

“Microsoft concludes in court filings that its efforts have had “significant impact” on Fancy Bear’s operations. By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers.” concludes the report.”On Friday, the company is set to ask Magistrate Judge Theresa Carroll Buchanan for a final default judgment against Fancy Bear, and for a permanent injunction giving Microsoft ownership of the domains it’s seized.”

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.